Hijacking Traffic To Microsoft’s Windows.com With Bitflipping

A researcher was able to “bitsquat” Microsoft’s windows.com domain by cybersquatting variations of windows.com.

However, this technique differs from cases where typosquatting domains are used for phishing activities in that it requires no action on the victim’s part.

This is due to the nature of a concept known as bit flipping, which means adversaries can exploit this tactic to conduct automated attacks and collect real traffic.

What are bitsquatting and bit flipping?

In the world of computing, everything is stored in bits (zeros and ones) in memory behind the scenes.

This applies to domains too. For example, windows.com becomes 01110111… in the volatile memory of your computing device.

However, what if one of these bits got automatically flipped due to a solar flare, cosmic rays, or a hardware error? That is one of the 0’s becomes a 1 and vice versa.

According to security engineer and blogger Remy, this is a realistic possibility.

“Now let’s say that the computer is running too hot, a solar flare is happening, or a cosmic ray (very real thing) flips a bit on the computer,” says Remy.

“Oh no! Now the value stored in memory is whndows.com instead of windows.com! When the time comes to make a connection to that domain, what happens?”

Also Read: Data Centre Regulations Singapore: Does It Help To Progress

“The domain doesn’t resolve to an IP,” the researcher further explained.

Seeing that multiple such permutations of windows.com were possible, Remy came up with a list of “bit flipped” domains.

The researcher noticed out of the 32 valid domain names which were 1-bitflip permutations of windows.com, 14 were not registered by anyone, and up for grabs.

“This is a rather odd [occurrence] as usually these are bought up by a company like Microsoft to prevent their use for phishing attempts. So I bought them. All of them. For ~$126,” said Remy.

The domains bitsquatted by Remy included:windnws.com
windo7s.com
windkws.com
windmws.com
winlows.com
windgws.com
wildows.com
wintows.com
wijdows.com
wiodows.com
wifdows.com
whndows.com
wkndows.com
wmndows.com

The term bitsquatting entails cybersquatting domains which are slight variations of the legitimate domains (usually off by 1 bit).

The exploitation of bitsquatted domains tends to be automatic when a DNS request is being made from a computer impacted by a hardware error, solar flare, or cosmic rays, thereby flipping one of the bits of the legitimate domain names.

Researacher sees real windows.com traffic coming to his domains!

It may seem reasonable to dismiss this concept as a theoretical concern, but researchers have previously observed a decent success rate of bitsquatting attacks.

In a 2011 Black Hat paper, titled “Bit-squatting DNS Hijacking without Exploitation,” researcher Artem Dinaburg saw when he had squatted 31 bitsquatted variations of eight legitimate domains of multiple organizations, on an average 3,434 daily DNS requests came his way, that should otherwise have gone to the DNS servers for the legitimate domains.

Likewise, as soon as Remy squatted the aforementioned domains and setup sinkholes to record any traffic, the researcher noticed an uptick in legitimate traffic coming his way.

In addition to the traffic destined to windows.com, the researcher was also able to captured UDP traffic destined for Microsoft’s time server, time.windows.com, and TCP traffic meant to reach Microsoft’s services such as Windows Push Notification Services (WNS) and SkyDrive (former name of OneDrive).

“It should come as no surprise the NTP service that runs on all Windows machines worldwide with a default configuration using time.windows.com generated the most bit-flipped traffic.”

“I still got a lot of traffic for other items as well,” continued Remy in his blog post.

Various system services including the system’s clock rely on authoritative time servers around the world for running critical operations.

The fact that bitsquatting attacks remain practical to pull off, as seen by Remy, is problematic as a successful outcome by a malicious actor could create a lot of security problems for applications.

However, in addition to bitsquatted traffic, the researcher also saw a healthy amount of queries coming from users mistyping domain names.

Although some of these queries were clearcut cases of bitsquatting traffic, the researcher was surprised to see some traffic coming from domains misspelled by the end-users.

While it is unlikely that so many people would change their time servers to a mispelled windows.com, Remy admits that there is no verifiable way to prove that traffic originated from bitsquatting.

“Unfortunately, for the nature of bitsquatting there effectively isn’t any way to verifiable prove that these weren’t misspellings. The only information available to research is that which is sent with the request (such as referrer header and other headers),” Remy told BleepingComputer in an email interview.

However, past research from cybersecurity firm Bishop Fox has been taken into account the probability of both bitsquatting traffic and inbound traffic from misspellings and demonstrated success with bitsquatting.

“We’re aware of industry-wide social engineering techniques that could be used to direct some customers to a malicious website.”

“We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers,” a Microsoft spokesperson told BleepingComputer.

The problem isn’t unique to a particular company or the windows.com domain either.

“I’d played around with the idea for several years, but windows.com was the first example I was able to identify that would actually have a decent chance of being able to produce any provable research (due to it’s use in NTP).”

“Valid domain names that were bitflips of time.apple.com were researched alongside time.windows.com, but I found that all of the domains were already reserved,” Remy told BleepingComputer.

The researcher did not confirm, however, if it is Apple that owns all of the bitflipped domains.

Also Read: What Is A Governance Framework? The Importance And How It Works

Potential solutions to the bitsquatting problem

During the interview, the researcher offered some solutions that both domain admins and hardware companies could adopt to protect themselves against bitsquatting.

“On the preventative side, devices such as computers or smartphones can employ the use of ECC memory which protects against undetected memory data corruption.”

“This would help prevent such an occurrence happening in the first place.”

Of course, the simplest way to prevent bitsquatting attacks is to try and grab bitflipped variations of your own domain names as much as practically possible before a threat actor does.

“On the defensive side larger companies are easily able to identify and reserve domains that are likely to be used with phishing, bitsquatting, and IDN homoglyph attacks,” Remy further told BleepingComputer.

BleepingComputer has reached out to Microsoft for comment before publishing time and we are awaiting their response.

Update March 5, 2021: Added statement from Microsoft received after press time.